Botnets

What is it? An internet robot? Well, more or less, but the full explanation is a good deal more involved than that.

A botnet is the melding of many threats into one. The typical botnet consists of a bot server (usually an IRC server) and one or more bot clients. Botnets with hundreds or a few thousand bot clients (called zombies or drones) are considered small botnets. In this typical botnet, the botherder communicates with the bot clients through an IRC channel on a remote command and control (C&C) server. In step 1, the new bot client joins a pre-designated IRC channel on the IRC server and listens for commands. In step 2, the botherder sends a message to the IRC server for each client to retrieve. In step 3, the clients retrieve the commands via the IRC channel. In step 4, the bot clients perform the commands. In step 5, each bot client reports the results of executing the command.

This arrangement is pleasing to hackers because the computer performing the actions isn’t their computer, and even the IRC relay isn’t on their computer. To stop the botnet, the investigator has to backtrack from a client to the IRC server and from there to the hackers. The hacker can add another layer of complexity by sending all commands to the IRC channel through an obfuscating proxy, and probably through a series of multiple hops, using a tool like Tor.

Having at least one of these elements in another country also raises the difficulty of the investigation. If the investigator is charged with protecting one or more of the botnet clients, they will usually stop the investigation once they realize the individual damage to their enterprise is low, or at least too low to justify a complex investigation involving foreign law enforcement. Add to this the fact that some botnet codebases include commands to erase evidence, commands to encrypt traffic, and even polymorphic stealth techniques, and it’s easy to see why hackers like this kind of tool.

Modern botnets are being fielded that are organized like real armies, with divisions of zombies controlled by different bot servers. The botherder controls a set of bot servers, each of which in turn controls a division of zombies. That way, if one communications channel is disrupted, only one division is lost. The other zombie divisions can be used to retaliate or to continue to conduct business.
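The join / command / report cycle described in steps 1 to 5, and the division-per-server layout above, leave a recognisable footprint in IRC traffic seen from the defender's side: several internal hosts join the same channel, all receive an identical message from one nick, and each then posts back into the channel. The script below is an added example written for this post, not code from the original or from any botnet or monitoring product. It assumes a constructed log format of "host direction server raw-IRC-line", a made-up nick "herder", made-up hostnames, and an arbitrary threshold of two hosts; a chatty human channel is included to show that it is not flagged.

```python
"""Spot IRC channels that behave like the C&C rendezvous described above.

Added example (not from the original post). The log format, the nick
"herder", the hostnames and the thresholds are all constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample in an assumed monitor format:
#   "<internal host> <dir> <irc server> <raw IRC line>"
# where dir is "->" (host to server) or "<-" (server to host).
SAMPLE_LOG = """\
10.0.0.11 -> irc-a.example.net JOIN #div1
10.0.0.12 -> irc-a.example.net JOIN #div1
10.0.0.13 -> irc-a.example.net JOIN #div1
10.0.0.11 <- irc-a.example.net :herder!u@h PRIVMSG #div1 :.report status
10.0.0.12 <- irc-a.example.net :herder!u@h PRIVMSG #div1 :.report status
10.0.0.13 <- irc-a.example.net :herder!u@h PRIVMSG #div1 :.report status
10.0.0.11 -> irc-a.example.net PRIVMSG #div1 :[status] idle
10.0.0.12 -> irc-a.example.net PRIVMSG #div1 :[status] idle
10.0.0.13 -> irc-a.example.net PRIVMSG #div1 :[status] idle
10.0.0.21 -> irc-b.example.net JOIN #div2
10.0.0.22 -> irc-b.example.net JOIN #div2
10.0.0.21 <- irc-b.example.net :herder!u@h PRIVMSG #div2 :.report status
10.0.0.22 <- irc-b.example.net :herder!u@h PRIVMSG #div2 :.report status
10.0.0.21 -> irc-b.example.net PRIVMSG #div2 :[status] idle
10.0.0.22 -> irc-b.example.net PRIVMSG #div2 :[status] idle
10.0.0.50 -> irc.chat.example JOIN #python
10.0.0.50 <- irc.chat.example :alice!a@b PRIVMSG #python :anyone tried 3.12?
10.0.0.50 -> irc.chat.example PRIVMSG #python :yes, works fine
"""

LINE_RE = re.compile(r"^(\S+) (<-|->) (\S+) (.+)$")


def parse_irc(raw):
    """Split a raw IRC line into (sender nick, command, params, trailing text)."""
    nick = None
    if raw.startswith(":"):                       # optional ":nick!user@host" prefix
        prefix, _, raw = raw[1:].partition(" ")
        nick = prefix.split("!", 1)[0]
    trailing = None
    if " :" in raw:                               # trailing parameter may contain spaces
        raw, _, trailing = raw.partition(" :")
    parts = raw.split()
    if not parts:
        return nick, "", [], trailing
    return nick, parts[0].upper(), parts[1:], trailing


def find_cc_channels(log_text, min_hosts=2):
    """Return channels where at least min_hosts internal hosts joined, received
    the same message from one nick, and then each posted back into the channel:
    the join / command / report pattern of steps 1 to 5 in the text."""
    joined = defaultdict(set)                       # (server, chan) -> hosts that JOINed
    fanout = defaultdict(lambda: defaultdict(set))  # (server, chan) -> message -> receiving hosts
    commanders = defaultdict(set)                   # (server, chan) -> nicks whose messages were relayed
    responders = defaultdict(set)                   # (server, chan) -> hosts that replied in-channel
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, direction, server, raw = m.groups()
        nick, cmd, params, trailing = parse_irc(raw)
        if not params or not params[0].startswith("#"):
            continue
        key = (server, params[0].lower())
        if cmd == "JOIN" and direction == "->":
            joined[key].add(host)
        elif cmd == "PRIVMSG" and trailing is not None:
            if direction == "<-":                   # step 3: command relayed to a client
                fanout[key][trailing].add(host)
                if nick:
                    commanders[key].add(nick)
            else:                                   # step 5: client reports back
                responders[key].add(host)

    findings = {}
    for key, hosts in joined.items():
        if len(hosts) < min_hosts:
            continue
        broadcast = {msg for msg, rcv in fanout[key].items() if len(rcv) >= min_hosts}
        if not broadcast or len(responders[key]) < min_hosts:
            continue
        findings[key] = {
            "hosts": sorted(hosts),
            "commanders": sorted(commanders[key]),
            "commands": sorted(broadcast),
        }
    return findings


def summarize_divisions(findings):
    """Group flagged channels by server: one entry per 'division' controller."""
    by_server = defaultdict(list)
    for (server, chan), info in findings.items():
        by_server[server].append((chan, len(info["hosts"])))
    return {server: sorted(chans) for server, chans in by_server.items()}


if __name__ == "__main__":
    hits = find_cc_channels(SAMPLE_LOG)
    for (server, chan), info in sorted(hits.items()):
        print(f"{server} {chan}: {len(info['hosts'])} hosts, "
              f"commander(s) {info['commanders']}, command(s) {info['commands']}")
    print(summarize_divisions(hits))
```

Run on the sample, it flags #div1 on irc-a and #div2 on irc-b, each with the nick "herder" as the only sender of a fanned-out message, and groups them per server, which is exactly the two-division picture above. The ordinary #python channel, with one host and no identical fan-out, is left alone. The obvious caveat follows directly from the post: once the botherder encrypts the channel or moves it off IRC, the message-text matching here sees nothing, and only the join and reply timing remains as a signal.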

Alright, alright, alright, what does a botnet do?

A botnet is a collection of networked computers. They can do anything you can imagine doing with a collection of networked computers. As simple as that.
